
South Africa: An overview of Vendor Privacy Contracts


1. Governing Texts

1.1. Legislation

1.2. Regulatory authority guidance

The Information Regulator ('the Regulator') has not yet published any guidance on vendor privacy contracts.

1.3. Regulatory authority templates

The Regulator has not yet published any templates.

2. Definitions

Data controller: There is no definition of 'data controller' in POPIA. However, Section 1 of POPIA defines 'responsible party' as a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.

Data processor: There is no definition of 'data processor' in POPIA. However, Section 1 of POPIA defines 'operator' as a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party.

3. Contractual Requirements

3.1. Are there requirements for a contract to be in place between a controller and processor?

As stated in section 2 above, the definition of 'operator' under Section 1 of POPIA indicates that an operator processes personal information under the terms of a contract or mandate with the responsible party.

3.2. What content should be included?

POPIA does not clarify the content that should be included within the contract between the responsible party and the operator.

However, according to Section 20 of POPIA, an operator or anyone processing personal information on behalf of a responsible party or an operator must, unless required by law or in the course of the proper performance of their duties:

  • process such information only with the knowledge or authorisation of the responsible party; and
  • treat personal information which comes to their knowledge as confidential and must not disclose it.

Furthermore, according to Section 21(1) of POPIA, a responsible party must, in terms of a written contract between the responsible party and the operator, ensure that the operator which processes personal information for the responsible party establishes and maintains the security measures referred to in Section 19 of POPIA.

4. Data Subject Rights Handling & Assistance

4.1. Are processors required to assist controllers with handling of data subject requests?

POPIA does not explicitly refer to operator requirements regarding handling of data subject requests.

For further information, see South Africa – Data Subject Rights.

5. Processor Recordkeeping

5.1. Are processors required to keep records of their processing activities?

POPIA does not explicitly refer to operator requirements regarding keeping records of their processing activities.

6. Security Measures

6.1. Are processors required to implement specific security measures? If so, what measures must be implemented?

As mentioned in section 3.1. above, the contract between the responsible party and the operator must ensure that the operator establishes and maintains the security measures referred to in Section 19 of POPIA.

Section 19(1) clarifies that a responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent:

  • loss of, damage to or unauthorised destruction of personal information; and
  • unlawful access to or processing of personal information.

Section 19(2) continues that, in order to give effect to subsection (1), the responsible party must take reasonable measures to:

  • identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;
  • establish and maintain appropriate safeguards against the risks identified;
  • regularly verify that the safeguards are effectively implemented; and
  • ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.

7. Breach Notification

7.1. Are processors under an obligation to notify controllers in the event of a data breach? If so, are there timeframe and content requirements?

According to Section 21(2) of POPIA, the operator must notify the responsible party immediately where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person.

For further information, see South Africa – Data Breach.

8. Subprocessor

8.1. Are subprocessors regulated? If so, what obligations are imposed?

Section 20 of POPIA, as mentioned in section 3.2. above, refers to operators as well as anyone processing personal information on behalf of a responsible party or an operator.

9. Cross-Border Transfers

9.1. Do transfer restrictions apply to processors? If so, what restrictions and what exemptions apply?

Section 72 of POPIA outlines that binding corporate rules are adhered to by a responsible party or operator within the relevant group of undertakings.

10. Regulatory Assistance

10.1. Are processors required to assist controllers with regulatory investigations?

POPIA does not explicitly refer to operator requirements regarding the assistance of controllers with regulatory investigations.

11. Processor DPO / Representative

11.1. Are processors required to appoint a DPO / representative?

Requirements regarding the appointment of information officers are not specified in POPIA.

For further information, see South Africa – Data Protection Officer Appointment.

12. Supervision & Monitoring

12.1. Are controllers obliged to supervise or monitor processors' compliance with the law and contract?

As mentioned in section 3 above, an operator processes personal information for a responsible party without coming under that party's direct authority, and the responsible party must, in terms of a written contract, ensure that the operator establishes and maintains the security measures referred to in Section 19 of POPIA.


Authored by OneTrust DataGuidance
